FiloSottile / yubikey-agent

yubikey-agent is a seamless ssh-agent for YubiKeys.
https://filippo.io/yubikey-agent
BSD 3-Clause "New" or "Revised" License
2.65k stars 129 forks

Ability to use SSH certificates #60

Open gbarazer opened 3 years ago

gbarazer commented 3 years ago

When using the SSH agent, it is possible to add an SSH certificate (https://smallstep.com/blog/use-ssh-certificates/) along with the corresponding private key file. When using a PKCS11 key such as the Yubikey, the current SSH agent implementation does not look for a certificate, and adding only a certificate without a private key file is not possible.

Note: the original ssh-agent is also lacking this feature.

Given that the agent protocol is reimplemented with yubikey-agent, it would be great to be able to add a certificate so that the agent is able to deliver both public keys and certificates.

The original Yubico doc and OpenSSH docs recommend using the CertificateFile option, but that's not an option when jumping from one ssh host to another (i.e. running ssh from a host we logged in to with the certificate), because the way it works is by forwarding the agent socket, which in turn does not provide the certificate. The only currently existing solution with a hardware key is to distribute the ssh certificate on every host we plan to jump from, which is not feasible at scale.

See https://bugzilla.mindrot.org/show_bug.cgi?id=2472 for the never-fulfilled feature request on the OpenSSH agent.
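Added example (not code from yubikey-agent or from the issue author) of what "deliver both public keys and certificates" means on the agent wire: a Python sketch of the SSH_AGENT_IDENTITIES_ANSWER message in which the same YubiKey key is listed twice, once as a plain ssh-ed25519 identity and once wrapped in an ssh-ed25519-cert-v01@openssh.com certificate blob, which is what lets a forwarded agent present the certificate with no file on the jump host. The key bytes, CA key and signature are constructed placeholders, not a real certificate.

```python
import struct

SSH_AGENT_IDENTITIES_ANSWER = 12  # message number from draft-miller-ssh-agent

def ssh_string(b: bytes) -> bytes:
    # SSH "string": uint32 big-endian length prefix followed by the bytes
    return struct.pack(">I", len(b)) + b

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def ed25519_key_blob(pub: bytes) -> bytes:
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)

def ed25519_cert_blob(pub: bytes, key_id: bytes, principals, ca_blob: bytes, sig: bytes) -> bytes:
    # Layout from OpenSSH PROTOCOL.certkeys; nonce, validity window, CA key and
    # signature are constructed placeholders (this is not a real, verifiable cert).
    return (ssh_string(b"ssh-ed25519-cert-v01@openssh.com")
            + ssh_string(b"\x00" * 32)                              # nonce
            + ssh_string(pub)                                       # same key the YubiKey holds
            + struct.pack(">QI", 1, 1)                              # serial, SSH_CERT_TYPE_USER
            + ssh_string(key_id)
            + ssh_string(b"".join(ssh_string(p) for p in principals))
            + struct.pack(">QQ", 0, 2**64 - 1)                      # valid after / valid before
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"")   # critical opts, exts, reserved
            + ssh_string(ca_blob) + ssh_string(sig))

def identities_answer(identities) -> bytes:
    # Wire message: uint32 length, byte type, uint32 nkeys, then (string blob, string comment)*
    body = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(identities))
    for blob, comment in identities:
        body += ssh_string(blob) + ssh_string(comment)
    return struct.pack(">I", len(body)) + body

def parse_identities_answer(msg: bytes):
    (length,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + length]
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %d" % body[0])
    (n,) = struct.unpack_from(">I", body, 1)
    off, out = 5, []
    for _ in range(n):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        out.append((read_string(blob, 0)[0].decode(), comment.decode()))
    return out

def demo():
    pub = bytes(range(32))  # constructed stand-in for the public key held on the YubiKey
    key = ed25519_key_blob(pub)
    cert = ed25519_cert_blob(pub, b"alice", [b"alice"], ed25519_key_blob(bytes(32)), b"\x00" * 64)
    # One private key on the token, two identities advertised: the raw key and the cert wrapping it.
    return parse_identities_answer(identities_answer([(key, b"YubiKey"), (cert, b"YubiKey cert")]))
```

A client receiving this list picks the certificate identity for auth and sends the sign request back to the agent, so the private key never leaves the token.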